Information Security From a Business Perspective: A Lottery Sector Case Study 


As enterprises struggle to remain profitable in an ever-changing risk environment, the current economic crisis has elevated the need for effective business risk management. Information security, as explained in this article, acts as a key parameter that affects business risk. This is explored in this article in the context of the lottery sector.

The academic definition of information security is the “preservation of confidentiality, integrity and availability of information.”1 Confidentiality is the preservation of secrecy of information (e.g., business reports, technical designs or financial projections) by ensuring that viewing is conducted solely by authorized people. Integrity is ensuring that information is accurate and consistent and has not been manipulated. Availability ensures that information is accessible to authorized people when needed.

Historically, information security has been addressed primarily as a technical issue. Preventive controls—such as firewalls, user access control mechanisms, encryption of data and communications, digital signatures, data backup systems, and detective controls such as intrusion detection systems or security monitoring platforms—have formed the basic components of security architecture. Often, the technical controls were complemented by a set of security policies, procedures and guidelines aimed at controlling the actions of personnel.

This approach, though, has proven to be insufficient. Security incidents continue to rise, security problems remain unsolved, and information security experts struggle to communicate the value of information security to enterprise management effectively.

The root cause of these problems may be the definition of information security itself. There is a lack of consistency as each sector, industry and even enterprise has had to define information security uniquely, based on very specific business needs. This lack of consistency has contributed to a lack of understanding and a lack of appreciation for the value of information security.

This article presents the definition of information security in the lottery sector and, specifically, in a case study of GIDANI, the National Lottery of South Africa.

Information Security Defined

To define information security in the lottery sector, one must understand its business objectives, identify stakeholders and link them to information protection attributes.

Lotteries sell games to the public. These games have to be trusted to achieve customer (player) acquisition and retention, which directly affect the lottery’s revenue. Player trust is a key success factor that is directly related to:

  • Game integrity—Each game is conducted as described in its official rules. It is fair to the players, the integrity of the draw results is preserved, and winners are selected and paid according to the game rules. Information integrity (avoiding data manipulation) is a key information security component related to player trust.
  • Player asset protection—Players need to be confident that their money, credit card numbers and bank account numbers are safe. Especially in online gaming, in which player participation is conducted with electronic funds, players have to trust the lottery for securing their financial assets. Confidentiality, integrity and availability are crucial security parameters.
  • Player privacy—Players, and especially winners, provide their personally identifiable information (PII) to lotteries. As in player asset protection, trust in the lottery is important for making the player feel comfortable with sharing such information. Trust is particularly important when dealing with large winning amounts because players have to feel safe and their personal data have to be protected.

Providing lottery games to the public also has societal and political facets. Lotteries are usually controlled directly by the local government and are always subject to a regulatory and legal framework. The provision of secure and fair lottery games to citizens is a matter of social responsibility. Moreover, the government is a shareholder of the lottery (directly or indirectly through taxation); thus, a lottery’s business success affects the corresponding governmental revenue.

The aforementioned facts are clarified in relation to information security when the drivers of shareholders’ trust are studied in more detail. For example:

  • Each licensed lottery has to comply with rules and terms of the license, which in turn have general or more detailed information protection requirements. These vary from general statements for game fairness, antifraud rules and service availability requirements to more detailed technical controls such as network security rules, operating security policies or certification requirements. Shareholders need to be confident that the lottery complies with the license obligations and, more generally, the legal and regulatory framework, since this is a main corporate viability factor.
  • In competitive environments where more than one lottery operates in the same region or illegal gambling is present, information security acts as a competitive advantage that, in turn, ensures customer acquisition. Shareholders trust the lottery if it operates as a competitive corporation, and due to the importance of protecting the game and lottery information from breaches, information security becomes a competitive parameter.
  • Shareholders are risk-averse entities in relation to the lottery’s brand name. They need to be assured that the lottery brand name is resilient to information security threats that may cause reputation loss.

In relation to the business role of information security in the lottery sector, the following definition can be deduced: Information security is defined as a driver of:

  • Stakeholders’ trust, driven by:
      – Shareholders’ trust, driven by:
        · Corporate viability, which is driven by compliance with lottery license terms
        · Competitive advantage, which ensures customer acquisition
        · Brand name value preservation, which ensures customer retention
        · Legal and regulatory compliance (e.g., the integrity of financial records and PII protection)
      – Players’ trust, driven by:
        · Game integrity
        · Service availability
        · Protection of the confidentiality of customers’ sensitive information

Using this definition of information security for the lottery sector, a holistic approach is required for addressing the information security requirements of each unique lottery. This, in turn, requires a detailed lottery business analysis for embedding information security into the specific business processes of the lottery and for addressing the human factor and minimizing the uncertainty it introduces. International security standards provide the basis for moving in that direction.

Lotteries and the Information Security Standards Landscape

In 2006, the Security and Risk Management Committee of the World Lottery Association (WLA)2 published the most recent version of its Security Control Standard (SCS). This standard describes a number of information security controls (technical and procedural) tailored to the lottery sector. For example, it includes rules regarding the management of lottery draws and the protection of prize money and Internet gaming systems. WLA SCS is an extension of the globally recognized information security standard ISO 27001 of the International Organization for Standardization (ISO),3 which is related to the establishment of information security management systems (ISMSs). Such systems provide the framework for managing information security from planning to implementation, monitoring and improvement.

ISACA has published a set of information technology (IT) auditing standards and the Risk IT: Based on COBIT® framework,4 which provides a set of guiding principles for effective management of IT risk. Risk IT complements COBIT®,5 a comprehensive framework developed by ISACA for the governance and control of business-driven, IT-based solutions and services. In 2009, ISACA published An Introduction to the Business Model for Information Security, the first publication released under the Business Model for Information Security™ (BMIS™),6 which addresses information security from a business perspective, and in 2010, the full model was published as The Business Model for Information Security.

Other standards include the Payment Card Industry Data Security Standard (PCI DSS),7 a set of requirements for enhancing payment account data security, and the Special Publications (800 series) of the US National Institute of Standards and Technology (NIST),8 which are documents of general interest to the computer security community.

The aforementioned standards provide an indicative view of the information security standards landscape. Other standardization bodies and associations provide their own guidelines in the field. In addition, technical security best practices of system vendors provide additional guidelines.

The modern lottery sector has to select the information security standards to use as a basis for its security architecture, and it must customize this selection according to its specific business needs.

Basic Processes

Studying the information security standards horizontally reveals a number of basic processes/steps that lead to the identification of information security requirements, including:

  • Step 1:  Business impact analysis—Each lottery business process is recorded and analyzed in terms of business impact from the realization of a possible security threat. For example, the monetary, reputational or legal impact is calculated in the scenario that a container of instant tickets (also known as scratch cards, used for games in which the players instantly know if they have won or not) is stolen. The lottery must answer a number of questions to calculate the impact, for example:
      – How much would this cost the lottery in monetary terms?
      – What would be the indirect costs (e.g., from reputation loss) if the stolen tickets are sold?
      – What would be the legal implications, if any?
    Business processes are then prioritized based on an impact scale that identifies the most critical issues.
  • Step 2:  Risk analysis—During this process, the likelihood of a security incident is estimated, based on a database of security weaknesses. The risk analysis takes into account technical and procedural parameters, for example:
      – Are there technical controls in place to cancel the set of stolen instant tickets?
      – Do procedures exist to complement the technical security controls (e.g., timely theft identification during the shipment process)?
  • Step 3:  Risk management—The result of the risk analysis is a prioritization of risk in relation to the impact level (the result of the business impact analysis) and the identification of possible security measures for addressing the risk. The risk management process—the selection of appropriate security measures for addressing the risk or for risk transferring or acceptance—is determined by the management of the lottery.
  • Step 4:  ISMS implementation—After the controls have been selected, they should be correlated under a common ISMS. This correlation requires deep understanding of the operation of the lottery; consideration of human, cultural, technical, business and external factors; and continuous improvements.

BMIS

One of the most recent information security frameworks that addresses information security from a business point of view is ISACA’s BMIS, illustrated in figure 1.

The following definitions of the BMIS elements (derived from An Introduction to the Business Model for Information Security)9 are necessary for understanding how BMIS works:

  • Organization design and strategy—An organization is a network of people, assets and processes interacting with each other in defined roles and working toward a common goal.
  • People—The people element represents the human resources and the security issues that surround them. It defines who implements (through design) each part of the strategy. It represents a human collective and must take into account values, behaviors and biases.
  • Process—Process includes formal and informal mechanisms (large and small, simple and complex) to get things done.
  • Technology—The technology element is composed of all of the tools, applications and infrastructure that make processes more efficient.

To understand the operation of BMIS in practice, it is important to study the links connecting organization design and strategy, people, process, and technology. The following case study provides an example of the operation of the model in the lottery sector.

Following a Holistic Approach

As an innovator in the lottery information security field, GIDANI has implemented a business model to understand and to more deeply address its information security needs and to make them an integral part of its business processes.

GIDANI has deployed a customized ISMS, following a combination of international security standards. The GIDANI ISMS includes all rules, procedures and information security management principles regarding security organization, asset management, human resources security, access control, physical security, communications security, operations security, compliance, incident management, business continuity management and system security, covering its whole development life cycle. Moreover, specific procedures have been applied regarding lottery game integrity and instant ticket security. The following paragraphs outline how the dynamic interconnections of BMIS (governing, architecture, enabling and support, human factors, culture and emergence) relate to the GIDANI ISMS.

Information security at GIDANI is an integral part of the business strategy of the lottery. Governing all information security activities is the responsibility of an executive committee chaired by the chief executive officer (CEO). Strategic plan execution, including a strategy definition as a result of business analysis (e.g., information security analysis in the life cycle of a new game development); resource management; and lottery operations are controlled by the executive committee that monitors security performance, value delivery and risk levels of all integrated information security controls. This structure provides a good practice for expressing management commitment and control, having information security as a top priority in the operation of the lottery.

Architecture is based on a lottery-specific threat model that serves the security requirements of all critical business processes as identified through governing. For example, there are technical controls in place for protecting game integrity, controlling access to lottery business reports, securely managing game configuration, establishing secure communication lines for game transactions (communication between the central system and terminals at the point of sale), isolating the computer room physically and ensuring game continuity by the implementation of a disaster recovery site.

Enabling and support represents how security processes are automated by the use of technology, and also which processes are used to complement automated security controls and to evaluate and improve them. GIDANI has automated all lottery-related processes by the deployment of the lottery system. Transaction engine (ticket processing) security configuration, support and operation are implemented by a number of written and continuously improved processes. Simultaneously, there is a security technology evaluation process in place that is used for calibrating and extending lottery system security for addressing business needs. For example, the business need for providing Internet gaming goes through a security assessment of the current technology. In this assessment, automation controls are identified (such as the player identity management mechanism) and complemented by manual procedures (e.g., review of player access rights) following official GIDANI rules. Since selling lottery games through the Internet has been identified as a key business enabler in governing, information security controls have become a priority.

Human factors affect both architecture and enabling and support. For example, if an operator at GIDANI is managing roles within the lottery ticket sales monitoring application, this operator may find the role management system too cumbersome and complex to use (human factors). This is reported as feedback to the security officer, who asks for the assessment of the whole process and technology (enabling and support) to identify opportunities for improvement. This assessment will take into account the whole architecture as well, identifying the impact on other components of the system. One improvement may relate to the extension of the security training program of GIDANI. Another may relate to the reconfiguration of the security control or its replacement.

Culture is an element of the GIDANI security model that has a tremendous positive effect in making information security work in practice. GIDANI is characterized by a clear set of hierarchy levels, with the roles of each level defined accurately and supported by specific operational procedures. The management model, as defined by the governing dynamic interconnection, encourages free communication at all levels of personnel, and especially encourages feedback on the security operations. That means that GIDANI has “low power distance” in terms of free communication of information security matters from the bottom to the top of the hierarchy. For example, if employees identify difficulties in implementing a security process or using a security technology, they freely report it to the security officer, who investigates how the process can be improved. At the same time, if employees identify a security incident (e.g., confidential gaming information left in a meeting room), they report it immediately as a security incident. Such reporting is not perceived as a hostile act between employees, but as a collective action that gives management the opportunity to take preventive or corrective actions.

Emergence is one of the most important dynamic interconnections of the business model since it deals with the uncertainty factor in information security at GIDANI. Due to human nature, the execution by people of processes within a corporation cannot be characterized as deterministic. Despite the detailed procedures, people sometimes act in an ad hoc manner and make mistakes. Emergence can be defined as “the developments and patterns that arise in the course of process execution by people.”10 While no one can ensure the absence of security incidents, the study of emergence offers solutions that keep their likelihood to a minimum. For example, a strong security culture, as described previously, permits GIDANI to have timely reporting of security incidents. After reporting, the root-cause analysis process, in which the actual reasons for the realization of the incident are identified and corrective actions are implemented, takes over.

For example, a security operator, due to increased stress, may assign incorrect access rights to a retailer manager (one who monitors the status of retailers). This will be reported to the security officer through the processing of alerts and logs (potential access to critical information) and by the role that monitors security records (for every change in user access rights a signed form is required). One could assume that this was an unpredictable event (a stressed employee). The truth, however, may relate to an increased workload in defining access rights caused by a major change in the lottery system, which, in turn, makes the user access management procedure too difficult to implement and no longer effective. Through the study of emergence, within the framework of the model, GIDANI is able to link architectural changes with human factors (usability of security controls), enabling and support (combination of technical and procedural controls), and governing (limited number of employees in relation to the workload), and to correct the user access management procedure in time.
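The detective control described above (every access-right change must be backed by a signed form, and the security officer reviews alerts and logs for changes that are not) can be automated as a reconciliation check. The following is an added example, not GIDANI’s or ISACA’s code; the log format, user names, role names and form identifiers are constructed assumptions. It also summarizes unbacked changes per operator, which is the kind of evidence the root-cause analysis in the text needs to spot a workload problem rather than an isolated mistake.

```python
"""Reconcile user-access changes against signed authorization forms.

Added illustration (hypothetical log format and register) of the control
described in the article: each GRANT/REVOKE in the access-management log
must match one signed form; anything else is reported to the security
officer, as is any grant of a role that exposes critical information.
"""
from collections import Counter
from dataclasses import dataclass
import re

# Constructed access-management log lines (hypothetical format):
# timestamp  operator  action  user=<login>  role=<role>
ACCESS_LOG = """\
2011-03-01T09:12:04 op.jones GRANT user=m.naidoo role=retailer_manager
2011-03-01T09:15:31 op.jones GRANT user=t.botha role=retailer_manager
2011-03-01T09:20:07 op.jones GRANT user=t.botha role=draw_operator
2011-03-01T10:02:45 op.smith REVOKE user=k.pillay role=retailer_manager
"""

# Constructed register of signed forms: (form id, user, action, role).
# Each form authorizes exactly one change.
SIGNED_FORMS = [
    ("F-1041", "m.naidoo", "GRANT", "retailer_manager"),
    ("F-1042", "t.botha", "GRANT", "retailer_manager"),
    ("F-1043", "k.pillay", "REVOKE", "retailer_manager"),
]

# Hypothetical roles whose assignment gives access to critical lottery
# information; granting them is alerted on even when paperwork exists.
CRITICAL_ROLES = {"draw_operator", "game_config_admin"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<operator>\S+) (?P<action>GRANT|REVOKE) "
    r"user=(?P<user>\S+) role=(?P<role>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    operator: str
    user: str
    role: str
    reason: str


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def reconcile(log_text, forms, critical_roles=CRITICAL_ROLES):
    """Match each logged change to an unused signed form and flag the rest."""
    remaining = Counter((user, action, role) for _fid, user, action, role in forms)
    findings = []
    for ev in parse_log(log_text):
        key = (ev["user"], ev["action"], ev["role"])
        if remaining[key] > 0:
            remaining[key] -= 1          # consume the form that covers this change
        else:
            findings.append(Finding(ev["ts"], ev["operator"], ev["user"], ev["role"],
                                    "no signed form for this change"))
        if ev["action"] == "GRANT" and ev["role"] in critical_roles:
            findings.append(Finding(ev["ts"], ev["operator"], ev["user"], ev["role"],
                                    "critical role granted; review required"))
    return findings


def unbacked_changes_by_operator(findings):
    """Count unbacked changes per operator to support root-cause analysis."""
    return Counter(f.operator for f in findings
                   if f.reason == "no signed form for this change")


if __name__ == "__main__":
    found = reconcile(ACCESS_LOG, SIGNED_FORMS)
    for f in found:
        print(f"{f.ts} {f.operator} -> {f.user}/{f.role}: {f.reason}")
    print(dict(unbacked_changes_by_operator(found)))
```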

Even then, people will continue to introduce uncertainty into the security processes, and some security incidents will still be unavoidable. Through the operation of the model, however, the whole picture of information security becomes clear, giving security experts the opportunity to learn more accurately from mistakes and to improve information security.

Conclusion

Information security will be understood, provide added value and effectively contribute to the operation of an organization only if it is designed and implemented as a core ingredient of the business strategy. Stakeholder, shareholder and player trust are the key ingredients of information security in the lottery sector, revealing its societal, business and legal nature. Organizations from other sectors should similarly identify such key ingredients in order to give information security a business definition.

While technical security controls are important, what distinguishes a typical information security management system from an effective one is the ability to correlate all parameters in the operation of an organization, especially the human factor. While absolute information security is theoretically unachievable, lotteries and organizations alike have the ability to reduce uncertainty and to continuously improve their approaches to making information security a business enabler.

Endnotes

1 International Organization for Standardization, ISO/IEC 27001:2005, Information technology—Security techniques—Information security management systems—Requirements, 2005
2 World Lottery Association, www.world-lotteries.org
3 International Organization for Standardization, www.iso.org
4 ISACA, Risk IT: Based on COBIT, www.isaca.org/riskit
5 ISACA, COBIT, www.isaca.org/cobit
6 ISACA, Business Model for Information Security (BMIS), www.isaca.org/bmis
7 PCI Security Standards Council, Payment Card Industry Data Security Standard (PCI DSS), www.pcisecuritystandards.org/security_standards/pci_dss.shtml
8 National Institute of Standards and Technology (NIST), Computer Security Division, Computer Security Resource Center, Special Publications (800 Series), http://csrc.nist.gov/publications/PubsSPs.html
9 Op cit., ISACA, BMIS
10 Op cit., ISACA, BMIS

Christos K. Dimitriadis, Ph.D., CISA, CISM
is head of information security at INTRALOT S.A., a multinational supplier of integrated gaming and transaction processing systems based in Greece. In this role, he manages information security in more than 50 countries in all continents. Dimitriadis is a vice president on ISACA’s Board of Directors. He has served ISACA as chair of the External Relations Committee and as a member of the Relations Board, Academic Relations Committee, Journal Editorial Committee and Business Model for Information Security (BMIS) Workgroup. He has worked in the area of information security for 10 years and has 65 publications in the field.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.


© 2011 ISACA. All rights reserved.
